privacy

Just a few months ago I did a short presentation at the Ohio Information Security Forum on the dangers of CSS and JavaScript browser history hijacking, with an actual demonstration of how your web browser's history can be parsed for interesting data for the purpose of harvesting information about your browsing habits.

A while back a team from the University of California, San Diego, came out with a white paper titled "An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications". The team compiled a list of websites which are using the JavaScript history hijacking technique, including Answers in Genesis in the list of evaluated sites, along with many other websites serving pornography, malware and other malicious content. AiG did not use the CSS-only technique I presented at OISF and only focused on JavaScript+CSS, meaning that a user who had JavaScript turned off in his browser would have been safe from this kind of attack.